Tag Archives: passwords

DreamHost is making my life way more complicated

Argh – normally I like everything DreamHost does. They had a history of just making my life easier over time. Their plan was simple: unlimited email and storage for your website, a reasonable price.

But now, for the second time, they are taking away a feature that I use heavily! DreamHost is killing catch-all emails! This is terrible for me.

The short version: I own this domain and I get or send email from anything@morelightmorelight – so honeybooboo@morelightmorelight gets to me and I could send you a mail from DarkCrushingVoid@morelight… This is fun, but where it is really useful is in dealing with all the damn signups online.

Everyone online wants you to sign in or sign up! The reason why isn’t always that they love you and want you to be a member, it is sometimes that they want to track you and sell your details to other businesses. Imagine that! Sometimes they are nice but they just don’t have great security and someone steals your email address from them. That’s how you get all that spam!

Stop for a minute and give Have I Been Pwned a check for your email address. Yeah.

The emails I use for talking to people I love and care about don’t show up here. For example:
[Image: my primary email hasn't been in a data breach]
But when I am forced to register with a service, I just make up an email address with their name in it and I make up a password just for them. When they get breached by hackers, the hackers can’t use that email or password on other services to get into more stuff. For example:
[Image: an email and password associated with Adobe was stolen from the Adobe servers]

The password with Adobe and the email address are disposable to me.
I filter out emails from places that have been breached by hackers.

And all is good! I have unique emails per place to log in, I have unique passwords per place to log in, and I have a way to respond to data breaches. But now, DreamHost is turning off this feature for me.

They will delete my email account in October if it isn’t converted over to a different email account. I have to figure out a way to create email accounts for all the logins I’ve had over the years or go change them on every site. It is going to be an incredible pain in the ass. So now, I have to start figuring out how to respond.

My likely plan:

  1. Learn how to download all of my emails and get a way to analyze them.
  2. Figure out all the unique email addresses I get email at and mark them as keepers and personal. This will take coding.
  3. Create a main personal account
  4. Upload all my history back to this account and figure out how to sync that back with Thunderbird
  5. Create all the other personal accounts and forwards from all the other personal accounts to the main personal account. This will take coding.
  6. Create business accounts and forwards for each of them. This will take coding.
  7. Create a general new throwaway scheme for login emails
  8. Investigate whether it’s time to move to hosting that gives me more control or adapt to this and concentrate on other things in my life.
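One way to approach steps 1 and 2, as an added example that is not the author's own tooling: read each message's recipient headers, collect every address at the catch-all domain, and record which sender domains write to it. The domain `example.com`, the sample messages and the "leaked?" heuristic are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

DOMAIN = "example.com"  # placeholder for the catch-all domain (assumption)

# Constructed sample messages. A real run would iterate over the messages
# of a downloaded mailbox, e.g. via the standard-library mailbox module.
SAMPLE_MESSAGES = [
    "From: Adobe <news@adobe.example>\nTo: adobe@example.com\nSubject: Offer\n\nhi\n",
    "From: promo@spam.example\nTo: Adobe@Example.com\nSubject: Win\n\nhi\n",
    "From: Mom <mom@family.example>\nTo: Me <me@example.com>\n"
    "Cc: dad@family.example\nSubject: Dinner\n\nhi\n",
    "From: list@forum.example\nTo: members@forum.example\n"
    "Delivered-To: forum@example.com\nSubject: Digest\n\nhi\n",
]

# Mailing lists often put the list address in To:, so the delivery
# headers are checked as well.
RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")


def inventory(raw_messages, domain=DOMAIN):
    """Map each local part seen at `domain` to a Counter of sender domains."""
    seen = defaultdict(Counter)
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        sender_domain = sender.rpartition("@")[2] or "unknown"
        values = []
        for header in RECIPIENT_HEADERS:
            values.extend(msg.get_all(header, []))
        hits = set()  # count each address once per message
        for _name, addr in getaddresses(values):
            local, _, dom = addr.lower().rpartition("@")
            if dom == domain and local:
                hits.add(local)
        for local in hits:
            seen[local][sender_domain] += 1
    return seen


def classify(seen):
    """Heuristic: a per-site address mailed by several domains may have leaked."""
    return {local: ("leaked?" if len(senders) > 1 else "single-sender")
            for local, senders in seen.items()}
```

The "leaked?" label is only a prompt for manual review, since a legitimate service can send from more than one domain.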

That last one is also important. When I was younger I did a lot of flexing in tech to do things myself so I could be super independent. This taught me TONS of things and is great! However, I can’t do everything, so I now make compromises so I can spend time on what matters most.

That’s the part that irks me. I am fine with adapting to the new business reality at DreamHost – but they don’t have a plan for me. I’m going to have to build my own tools and figure out my own way. I can do this, but I don’t want to! I’d rather spend this time building a website or helping people or being with my family.

Passwords – hard to do, important to get right.

Over on Staunchly Technical, Nate gives a rundown of his password scheme:

“Unique” memorized password: Google, Password manager(s), home server (exposed to Internet).

  • These are “master key” systems – if these are compromised then the hacker effectively has the ability to get my password to anything else. As a result, the password for these is not used on anything else (really, I ought to have a separate pw for each of these, but since they’re all so unrelated I’ve just got one for all 3).

Random stored individual passwords: All things potentially damaging (banks, brokerages, prosper, IRA, etc)

  • These are randomly generated 10-character passwords – they might get sniffed, but they’re not going to get hacked. These get saved in the Firefox password DB and are also in my password manager program (Keepass, for anyone who cares)

Work password: all things work-related

  • Everything I do at work requires me to change my password every 3 months – since I have trouble with multiple passwords anyway, I just set them all to the same thing. Only one of them can be accessed from outside the intranet anyway, and my VPN is protected by a keyfob.

Easy (but still relatively secure) non-changing password: social networks and anything else that can’t cost me money or too much heartache.

Useless password: sites that I really don’t care about and/or don’t trust.

Nate’s a really smart guy, so he wouldn’t be spending all this time thinking and writing about it unless it was important.  Why is he using so many different passwords?

What’s going on here

He’s segregating them into security zones.  The most important one is his email or his password system manager.  If someone gets the key to his email they can reset passwords to his bank or investment accounts and the password reset email goes where?  That’s right.

When Gawker’s poor security and taunting of 4chan led to the usernames and passwords of every user being posted online, it was a very big deal.  Most people use the same username in many places – because they want a sense of identity and reputation that can follow them around.  Or maybe it’s just easier to remember.  That’s probably why most people use the same password everywhere.  Like their bank and Gizmodo.  So those folks are having trouble.

Not Nate.  All they can do is post nasty comments on social networks under his name, and he can reset the password and get past that.

Also, not me.

My Suggestion

I tend not to use the same username on every website.  I register something using the site itself as a key.  So if my email is mk @ gmail.com (it isn’t) I would just use the gmail “name+” trick to register at Lifehacker as mk+lifehacker@gmail.com. This lets you know who is selling your email address or getting hacked into.

I manage my passwords differently, in a way you might use.  I use a passphrase and then I use select letters from the site to construct a unique password per site.  Like so:

My passphrase is a memorable poem or sentence. Let’s use the first two lines of Yeats’s The Second Coming

“Turning and turning in the widening gyre, The falcon cannot hear the falconer”

I take the first letter of every word to make my password: “TatitwgTfchtf”

That’s a big password and easy to remember!  But you want your password to be unique across many sites.  Let’s do that by pulling the site into it.

Lifehacker has 6 consonants and 4 vowels.  Let’s add those on to the end and the beginning: “6TatitwgTfchtf4”.  Even if someone gets your password and knows another account of yours, you have a unique password at the other account.  You could also put the first and last letter: “LTatitwgTfchtfR”.  Whatever you want to put a little extra randomness in the mix.
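The scheme above in code, as an added example that is not from the original post; the site list is constructed. It also checks the uniqueness claim: any two sites with the same consonant and vowel counts, or the same first and last letters, end up with the same password.

```python
from collections import defaultdict

VOWELS = set("aeiou")
PASSPHRASE = ("Turning and turning in the widening gyre, "
              "The falcon cannot hear the falconer")

# Constructed list of site names, used only to test for collisions.
SITES = ["lifehacker", "soundcloud", "gizmodo", "tumblr", "twitter"]


def initials(passphrase):
    """First letter of every word, keeping the original case."""
    return "".join(word[0] for word in passphrase.split())


def site_counts(site):
    """Return (consonants, vowels) for the letters in a site name."""
    letters = [c for c in site.lower() if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    return len(letters) - vowels, vowels


def count_scheme(passphrase, site):
    """Consonant count in front, vowel count at the end."""
    consonants, vowels = site_counts(site)
    return f"{consonants}{initials(passphrase)}{vowels}"


def edge_scheme(passphrase, site):
    """First letter of the site in front, last letter at the end."""
    return f"{site[0].upper()}{initials(passphrase)}{site[-1].upper()}"


def collisions(passphrase, sites, scheme):
    """Group sites by derived password; return only groups that share one."""
    groups = defaultdict(list)
    for site in sites:
        groups[scheme(passphrase, site)].append(site)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for scheme in (count_scheme, edge_scheme):
        print(scheme.__name__, collisions(PASSPHRASE, SITES, scheme))
```

Running the collision check over your own list of accounts shows which sites would need a different site-derived component to stay unique.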

Want to see how strong your current favorite password is?  Go to the Microsoft password checker and try it.

Practice good password safety – I don’t want to get emails from your account asking me to help split up your Nigerian fortune.

https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link